> Hi,
>
> thanks for the logs. The issue does not happen during Kerberos ticket
> validation, as I thought, but while trying to establish the FAST tunnel.
>
> There should be two ways to solve this. The first is setting
>
> krb5_use_fast = never
>
> in the [domain/...] section of sssd.conf on every IPA client. The second
> is to reestablish the trust as two-way trust with the '--two-way=True'
> option of 'ipa trust-add'. I would recommend the latter.
>
> HTH
>
> bye,
> Sumit
>
Hi Sumit,

I'm taking Mateo's place here because he's busy with other things. Sorry for the delay.

We tried two-way trust on a brand new IdM server for a new IdM domain (since the old server was giving other errors; we probably messed it up at some point), and we're back to square one: AD users without an expiring password can log in on the new IdM server with ssh, and for those with expired passwords journalctl gives:

Apr 25 11:46:56 idmt01.idmt.fnr.gub.uy krb5_child[12339]: Password has expired
Apr 25 11:46:56 idmt01.idmt.fnr.gub.uy krb5_child[12339]: KDC reply did not match expectations

I really don't know if behind the scenes it's exactly the same problem as the first time, but it shouldn't be, since we updated the Samba servers to version 4.16.0, which has FAST support (as was noted in the Samba users list). I'm wondering at the moment if the samba-client package on the IdM server, which is version 4.14.5, could affect it, or if it doesn't matter.

How do you think I can continue from here?

Thank you very much,
tizo

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
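The first workaround Sumit describes is a per-domain sssd.conf setting, and on a fleet of IPA clients it helps to be able to audit which [domain/...] sections actually carry it before and after a change. The following script is an added example and not part of the thread or of the SSSD or FreeIPA projects; the sample sssd.conf, the domain names and the idmt01 hostname in it are constructed for the example. It parses the file with Python's configparser (sssd.conf uses INI syntax), reports the krb5_use_fast value of every domain, and can emit a copy with krb5_use_fast = never in one chosen domain section. The allowed values never, try and demand are those documented in sssd-krb5(5); the script does not assume what sssd does when the option is absent.

```python
import configparser
import io

# Constructed sample sssd.conf (not from the thread): two IPA-joined domains,
# one without any krb5_use_fast setting and one already carrying the workaround.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = idmt.example.test, legacy.example.test
services = nss, pam

[domain/idmt.example.test]
id_provider = ipa
auth_provider = ipa
ipa_server = idmt01.idmt.example.test

[domain/legacy.example.test]
id_provider = ipa
auth_provider = ipa
krb5_use_fast = never
"""

# Values accepted by sssd-krb5(5) for krb5_use_fast.
VALID_FAST_VALUES = {"never", "try", "demand"}


def parse_sssd_conf(text):
    """Parse sssd.conf text; strict=False tolerates duplicated keys, and
    interpolation is off because '%' has no special meaning in sssd.conf."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.read_string(text)
    return parser


def fast_settings(text):
    """Return {domain: krb5_use_fast value or None} for every [domain/...] section."""
    parser = parse_sssd_conf(text)
    result = {}
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue
        domain = section[len("domain/"):]
        value = parser.get(section, "krb5_use_fast", fallback=None)
        result[domain] = value.strip().lower() if value is not None else None
    return result


def audit(text):
    """Return one finding string per domain describing its FAST configuration."""
    findings = []
    for domain, value in sorted(fast_settings(text).items()):
        if value is None:
            findings.append(f"{domain}: krb5_use_fast not set (sssd default applies)")
        elif value not in VALID_FAST_VALUES:
            findings.append(f"{domain}: INVALID krb5_use_fast value {value!r}")
        elif value == "never":
            findings.append(f"{domain}: FAST disabled (pre-auth exchange is not armored)")
        else:
            findings.append(f"{domain}: krb5_use_fast = {value}")
    return findings


def disable_fast(text, domain):
    """Return a copy of the config with krb5_use_fast = never in [domain/<domain>].

    This is the first workaround from the thread. It gives up FAST armoring of
    the Kerberos pre-authentication exchange, which is why the two-way trust
    route is the one to prefer; the function only edits the named section.
    """
    parser = parse_sssd_conf(text)
    section = f"domain/{domain}"
    if not parser.has_section(section):
        raise KeyError(f"no [{section}] section in sssd.conf")
    parser.set(section, "krb5_use_fast", "never")
    out = io.StringIO()
    parser.write(out)  # configparser writes 'key = value', which sssd accepts
    return out.getvalue()


if __name__ == "__main__":
    for line in audit(SAMPLE_SSSD_CONF):
        print(line)
    print("--- after disable_fast('idmt.example.test') ---")
    for line in audit(disable_fast(SAMPLE_SSSD_CONF, "idmt.example.test")):
        print(line)
```

To run it against a real client, replace SAMPLE_SSSD_CONF with the contents of /etc/sssd/sssd.conf (it is root-only, mode 0600) and review the output of disable_fast before writing it back, since configparser rewrites the whole file rather than patching one line. Note that the script only reports the setting; whether the KDC reply mismatch actually goes away still has to be confirmed with the krb5_child log lines quoted in the thread.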